The gang of cybercriminals behind the ‘Magic Malware’ has launched yet another malicious spam campaign, attempting to trick U.K. users into thinking they’ve received a notification for a “New MMS” message. In reality, once users execute the malicious attachment, it downloads and drops additional malware on the affected hosts, giving the cybercriminals behind the campaign complete access to the affected host.

We are aware of two more registered malicious domains using the same email (iavorscaia@gmail.com), dating back to 2010:
secretshoper.info/ujd/upit.php – back then used to respond to 91.206.201.222
vertelitt.com/faw/pit.php – back then used to respond to 91.206.201.200

Responding to the same IP (178.208.91.5) is also the following domain: ttnetbilglendirme.info.

Detection rate for the dropped _load.exe (MD5: bcadffb2117751fb89a4bb8768681030): detected by 10 out of 46 antivirus scanners as Trojan.Win32.Generic!BT. It’s interesting to point out that the malware’s PE signature block refers to our colleagues at Mandiant.

Once executed, the dropped sample phones back to the following C&C servers:
94.23.234.36
94.23.203.74
94.23.219.182:10080